Response to Arguments

1. This communication is in response to applicants' amendment received on
August 16, 2004. 

2. It is acknowledged that the amendments to claims 1 and 22 do not 
introduce new matter. 

3. Applicants' arguments have been fully considered but they are not 
persuasive. 

4. Applicants argue as follows: 

4.1 Regarding claim 1, in the last two paragraphs of page 8 of the
Remarks, applicants argue that the following are not anticipated by the cited 
references: 

"in said shared computer system, said shared computer system 
comprising an application service provider".

Referring to Fig. 1, McNeil discloses shared computer systems such as 
the network 110 or any of the domains 116P, 116Q, 116R and 116S. Any
individual computer device in these domains corresponds to an application 
provider or could provide other services to any station in another domain or to a 
client in the Internet 170. 

"associating said at least one virtual private network connections with a 
plurality of virtual local area networks".

Referring to Fig. 2, McNeil discloses a plurality of virtual local area
networks that can have connections to clients in the Internet 170. Ahmad, on the 
other hand, discloses a system to support multiple virtual private networks 
(VPNs) in a public network by connecting customers in different premises to 
service providers through private paths (see abstract; figs. 2-4 and 7-9; col. 4, 
lines 8-42; col. 10-42). A person with ordinary skill in the art would be motivated 
to implement the teaching of Ahmad with the system of McNeil in order to 
associate at least one customer's VPN in the Internet 170 in Fig. 2 of McNeil with 
the plurality of VLANs in any of domains 116P, 116Q and 116P to provide private 
links between customers and the service providers. 

"associating at least one of said computer resources in said shared 
computer system with each of said plurality of virtual local area networks, 
whereby a domain for each of said plurality of client computers is extended to 
include said computer resources in said application service provider and said 
plurality of client computer domains are isolated from each other within said 
application service provider." And 

"McNeill therefore does not disclose or suggest the claimed shared 
computer system in which multiple client domains are extended and isolated. 
Similarly, Ahmed does not disclose a shared computer system in which multiple 
client domains are extended and isolated." 

Referring to Fig. 2, McNeil discloses a plurality of virtual local area 
networks (VLANs) in each domains 116P, 116Q and 116P. Each VLAN 



Application/Control Number: 09/678,933 Page 4 

Art Unit: 2132 

comprises at least one computer device that could serve as an application 
provider over the Internet 170 to a client. As stated above a person with ordinary 
skill in the art would be motivated to combine the teaching of Ahmad in the 
system of McNeil. In such a combined system when a client computer is 
connected through a secure private VPN over the Internet to any resources on 
any computer devices in any of the VLANs would form a private and secure 
circuit that would include the client computer and the said resource. Also Ahmad 
teaches an end-to-end virtual channel connections in a VPN service that
connections are private i.e., isolated from each other (Ahmad, abstract; col. 3, 
lines 64-67; col. 4, lines 14-30). Furthermore, in response to applicant's 
arguments against the references individually, one cannot show nonobviousness 
by attacking references individually where the rejections are based on 
combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 
(CCPA 1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 
1986). 

4.2 Regarding claim 16, on page 9 of the Remarks, applicants argue 
that the cited references do not disclose or suggest: 

"... a configuration engine electrically connected to said at least one virtual 
local area network switch, said configuration engine comprising computer 
readable program code for configuring said at least one virtual local area network 
switch to changeably connect each of said plurality of virtual private network
connections to at least one of said plurality of computer resources while isolating
said plurality of virtual private network connections from one another." 

McNeil discloses a management station corresponding to the recited 
configuration engine connected to at least one switch in order to configure the 
switches and establishes connectivity between a computer device containing 
resources in a domain such as 116P and a computer over the Internet 170 (see
Fig.1, Domain 116P, Station 124M; col. 2, lines 35-50; col. 4, lines 9-11 and lines 
38-41; col. 5, lines 1-14). Furthermore, when the teaching of Ahmad is combined
with the system of McNeil, as stated above, the management station will facilitate
the connections of VPNs to the computer resources on the computers located in 
any of the VLANs while isolating the connections from each other. 

4.3 Regarding claim 22, on page 11 of the Remarks, applicants argue
that the cited references do not disclose or suggest: 

"a plurality of computer resources within an application service provider; 
means for securely connecting each of a plurality of client computers to a 
portion of said plurality of computer resources in said application service 
provider while isolating said portion of said plurality of computer resources 
from a second portion of said plurality of computer resources." 

Regarding the above argument, the same is applied as stated above with 
respect to the like elements of claim 1 and 16.

5. In light of the above submission the previous rejection of the claims is
maintained with consideration of the amendments to claims 1 and 22 as follows. 



Double Patenting 

The nonstatutory double patenting rejection is based on a judicially created doctrine 
grounded in public policy (a policy reflected in the statute) so as to prevent the unjustified or 
improper timewise extension of the "right to exclude" granted by a patent and to prevent possible 
harassment by multiple assignees. See In re Goodman, 11 F.3d 1046, 29 USPQ2d 2010 (Fed.
Cir. 1993); In re Longi, 759 F.2d 887, 225 USPQ 645 (Fed. Cir. 1985); In re Van Ornum, 686
F.2d 937, 214 USPQ 761 (CCPA 1982); In re Vogel, 422 F.2d 438, 164 USPQ 619 (CCPA 1970); 
and, In re Thorington, 418 F.2d 528, 163 USPQ 644 (CCPA 1969). 

A timely filed terminal disclaimer in compliance with 37 CFR 1.321(c) may 
be used to overcome an actual or provisional rejection based on a nonstatutory 
double patenting ground provided the conflicting application or patent is shown to 
be commonly owned with this application. See 37 CFR 1.130(b). 

Effective January 1, 1994, a registered attorney or agent of record may
sign a terminal disclaimer. A terminal disclaimer signed by the assignee must 
fully comply with 37 CFR 3.73(b). 



Claims 1-22 are provisionally rejected under the judicially created doctrine 
of obviousness-type double patenting as being unpatentable over claims 1-20 of 
copending Application No. 09/584252. Although the conflicting claims are not 
identical, they are not patentably distinct from each other because the claims of 
this application are broader than the claims 1-20 of copending application. These 
claims do not expressly specify that a virtual local area network switch having a 
plurality of ports for connecting each client to at least one of the plurality of 
computer resources as recited in independent claims 1 and 13 of the co-pending 
application. These claims recite that a virtual private network (VPN) terminal 
device (corresponding to the recited switch) securely connecting a plurality of
client computers to a plurality of virtual local area network (VLAN) in order to
access resources on at least one of the computers in one of the plurality of
VLANs. The combined limitations of claims 1, 2, and 5 of the pending application
correspond to the limitations of claim 1 in the co-pending application. The 
pending claim 1 recites that each of the plurality of client computers is associated 
with at least one virtual private network connection, wherein the client computers 
are remotely connected to at least one virtual private network termination device, 
and wherein said at least one virtual private network connection is established by 
said at least one virtual private network termination device. This limitation 
corresponds to "a plurality of client connection ports connected to said virtual 
local area network switch" recited in claim 1 of the co-pending application. Claim 
2 of the pending application recites that "each of the at least one virtual private
network connections is uniquely associated with one of said plurality of virtual
local area networks, so that a one to one correspondence exists between said at
least one virtual private network connection and said plurality of virtual local
area networks" which corresponds to
the recitation "isolating said plurality of client connection ports from one another 
so that each of said client connection ports may be connected to at least one of 
said plurality of secure computer environments on said plurality of computers" in 
claim 1 of the co-pending application. 

Claim 5 of the pending application recites that a configuration engine in the 
shared computer system configures the at least one virtual private network
termination device (i.e., switch) which is disclosed in the claim 1 of the
co-pending application.

This is a provisional obviousness-type double patenting rejection because 
the conflicting claims have not in fact been patented. 



Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for
all obviousness rejections set forth in this Office action:

(a) A patent may not be obtained though the invention is not identically disclosed or described 
as set forth in section 102 of this title, if the differences between the subject matter sought to 
be patented and the prior art are such that the subject matter as a whole would have been 
obvious at the time the invention was made to a person having ordinary skill in the art to which 
said subject matter pertains. Patentability shall not be negatived by the manner in which the 
invention was made. 



Claims 1-22 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over McNeil et al. (6,167,052; hereinafter McNeil) in view of Ahmed et al. 
(5,432,785; hereinafter Ahmed). 

Claims 1, 2, 5, and 16 

McNeil discloses methods and systems for establishing network 
connectivity by creating virtual LANs within a domain (corresponding to the 
recited shared computer system) (see abstract; Figs 1-2; col. 2, lines 17-29). 
McNeil discloses shared computer systems such as the network 110 or any of
the domains 116P, 116Q, 116R and 116S (see Fig. 1). Any individual computer
device in these domains corresponds to an application provider or could provide
other services to any station in another domain or to a client in the Internet 170. 

Referring to Fig. 2, McNeil discloses a plurality of virtual local area 
networks that can have connections to clients in the Internet 170. McNeil further 
discloses that each VLAN includes at least one station (corresponding to the 
recited computer resources) (i.e., associating each station with a VLAN) (see col. 
1 lines 30-40 and col. 3, lines 6-16). McNeil also discloses that the computers in 
different VLANs are connected to at least one switch (corresponding to the 
recited terminal device) having one or more ports (see Fig. 1 and col. 3, lines 9- 
30). McNeil discloses the deployment of a management station corresponding to 
the recited configuration engine connected to at least one switch in order to 
configure the switches and establishes connectivity between a computer device 
containing resources in a domain and a client computer over the Internet (see 
Fig.1, Domain 116P, Station 124M; col. 2, lines 35-50; col. 4, lines 9-11 and lines 
38-41; col. 5, lines 1-14). McNeil, however, does not expressly disclose that the 
clients who are remotely connecting (i.e., over a public network such as Internet) 
to the stations in VLANs at least through one switch, are associated with at least 
one virtual private network (VPN) connection. 

Ahmed discloses a broadband VPN system in which customers 
(corresponding to the recited client computers) are connecting to a switching 
system through at least one VPN connection and connecting to another switching 
system through a virtual path link within a public network and finally to the 
desired computer resources (see Figs. 1-4; col. 2, lines 46-67; col. 3, lines 5-67;
col. 6, lines 3-23). Ahmad further discloses a system to support multiple virtual 
private networks (VPNs) in a public network by connecting customers in different 
premises to service providers through private paths (see abstract; Figs. 2-4 and 
7-9; col. 4, lines 8-42; col. 10-42). Ahmed also discloses that there are ports on the
switches for monitoring the traffic on each VPN connection (see col. 3, lines 20-27
and col. 6, lines 40-53). Moreover, as illustrated by Fig. 4, Ahmed teaches
that each customer is associated with at least one VPN connection at the 
switching system. 

It would have been obvious to a person of ordinary skill in the art at the 
time the invention was made to implement the VPN connectivity for each client 
through at least one switch port to a remote location as taught in Ahmed in the 
system of McNeil, because it would provide protected virtual private channel 
connections (corresponding to the recited a one to one correspondence) 
between clients and computer resources (i.e., isolating the VPNs connections 
from one another) (col. 3, lines 9-26). 

Claim 3 

McNeil discloses that clients from other domains or VPNs can connect to 
VLANs through one switch (see Fig. 2, where clients that may be associated with 
a VPN connect to VLANs 140a, 140b and 140c via switch 128.1 shown in Fig. 1). 
Since the traffic is forwarded either based on the MAC addresses or switch ports, 
thus, for example, the VPN connections are uniquely associated with one of the 
VLANs (abstract; col. 2, lines 38-50; col. 3, lines 7-16).

Claim 4

McNeil discloses a management station corresponding to the recited 
configuration engine connected to the switch 128.1, in order to configure this 
switch to provide outside connection to computer resources (i.e., clients VPNs 
connections to the VLANs) (see, for example, col. 2, lines 35-50 and Fig. 1, 
Domain 116P, Station 124M, where clients from other domains or via Internet
can connect to computers in domain 116P through switch 128.1).

Claims 6 and 19 

It is assumed that "configuration engine reading computer requirements 
from at least one client" means to configure secure environments in portions of 
the secure computer system according to client needs (page 3 of the 
specification, lines 32-33). McNeil discloses that connection for client to access 
resources on the network is restricted and provided based on some criteria (see,
for example, col. 1, line 54-col. 2, lines 5; col. 10, lines 15-24). 

Claim 7 

It is assumed that "configuration engine calculating an optimum allocation 
of said plurality of computer resources to meet said computer requirements of 
said at least one client" means that the automating code 74 in the configuration 
engine 42 (see Fig. 2) may include load balancing systems or brokering systems 
which receive requests for computer resources 12 from clients and which 
automatically allocate resources 12 according to client need and priority, and
resource availability (page 10 of the specification, lines 6-11). McNeil discloses
that connection for client to access resources on the network is restricted and
provided based on some criteria (see, for example, col. 1, line 54-col. 2, lines 5;
col. 10, lines 15-24). 

Claim 8 

This claim is rejected as applied to like elements of claim 3 stated above.

Claim 9

Ahmed teaches that the customers connect to the computer resources 
through a dedicated line (col. 7, lines 1-6). 

Claims 10 and 11 

McNeil discloses that the implemented switches allow users to access 
resources over the Internet. See, for example, Fig. 1 that users are allowed to 
access, for example, Station 124.1 over the Internet 170 and through Switch 
128.1.

Claim 12

Ahmed teaches that customers connect to the resources on the shared
computer system with a broadband line connection (see col. 3, line 50-col. 4,
line 20).

Claims 13 and 21

McNeil discloses that management station creates access control lists 
(ACLs) and allow connections based on the ACLs, which corresponds to the 
recited authenticating client identification before configuring at least one VLAN 
(see, for example, col. 2, lines 26-34; col. 3, line 65-col. 4, line 6; col. 6, lines 14- 
24). 

Claims 14, 15 and 20 

McNeil discloses that firewalls are also used to further control the access 
of users to the resources on a shared system and a management station for 
configuring the domain (see, for example, col. 2, lines 1-5 and lines 35-40; col. 9, 
lines 32-49). 

Claims 17 and 18 

McNeil discloses that the management station includes software and 
provides a graphical user interface for network administrator to configure the 
VLAN (see, for example, abstract; Fig. 1; col. 4, lines 38-41; col. 9, lines 35-43).

Claim 22 

This claim is rejected as applied to the like elements of claim 1 and 16 and 
further the following: 

McNeil discloses a plurality of stations (corresponding to the recited 
computer resources) scattered in different domains (see Figs. 1-2). The stations
in each domain are grouped in one or more VLANs (see Figs. 1-2). McNeil
further discloses that VLANs are implemented by the LAN switches (col. 1, lines 
61-62). Clients from another domain or via Internet access the computer 
resource in each VLAN through a switch using IP addresses (col. 1, lines 40-53). 
The IP address is translated to a MAC address by routers normally located at the 
edge of each network (col. 1 , lines 50-53). A switch restricts traffic to a VLAN 
(col. 1 , lines 63-65) and forwards packets based on a station's MAC address only 
if that station exists in the VLAN (col. 1 , lines 46-47 and col. 3, lines 7-9). 
Furthermore, McNeil discloses that each port of a switch connected to specific 
segment of the network (col. 3, lines 11-16). Thus, a switch isolates connection 
of a client to a station in one VLAN from other stations on another VLAN or in the 
same VLAN that corresponds to the recited securely connecting a client to a 
portion of shared computer system while isolating that portion from other portions 
of the system. For example, Fig. 2 illustrates that when a client accesses a 
resource on VLAN 140a, its connection is isolated from VLAN 140b and VLAN 
140c. 

Conclusion 

THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of 
time policy as set forth in 37 CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire 
THREE MONTHS from the mailing date of this action. In the event a first reply is 
filed within TWO MONTHS of the mailing date of this final action and the advisory 
action is not mailed until after the end of the THREE-MONTH shortened statutory
period, then the shortened statutory period will expire on the date the advisory
action is mailed, and any extension fee pursuant to 37 CFR 1.136(a) will be
calculated from the mailing date of the advisory action. In no event, however, will 
the statutory period for reply expire later than SIX MONTHS from the mailing 
date of this final action. 

Any inquiry concerning this communication or earlier communications from 
the examiner should be directed to Abdulhakim Nobahar whose telephone 
number is 571-272-3808. The examiner can normally be reached on M-T 8-6. 

If attempts to reach the examiner by telephone are unsuccessful, the 
examiner's supervisor, Gilberto Barron can be reached on 571-272-3799. The 
fax phone number for the organization where this application or proceeding is 
assigned is 703-872-9306. 

Information regarding the status of an application may be obtained from 
the Patent Application Information Retrieval (PAIR) system. Status information 
for published applications may be obtained from either Private PAIR or Public 
PAIR. Status information for unpublished applications is available through 
Private PAIR only. For more information about the PAIR system, see
http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free).



Abdulhakim Nobahar 




February 2, 2005 




GILBERTO BARRON J** 
SUPERVISORY PATENT EXAMINER 
TECHNOLOGY CENTER 2100 



